0

Let's say that a user on my site has a cookie from another site and I know the cookie's name. Basically what I am trying to do is to give users a link to the address bar, and with it a Javascript code which will activate that cookie's value(lets call that cookie "Joe"). For example:

My site will give the user this link: Examplesite.com/page=(here is the code which will activate a specific cookie value with javascript or something)

the output will have to be something like this after reading the value: Examplesite.com/page=54 (lets say that the cookie's value was 54).

I can't do it with normal scripting, since I can't control Examplesite.com cookies (I do not own that website). So I figured, why not give the users a link which the browser will think that the user requested to accsses those cookies(and thats actually true, since he is pasting it), and not some random website. Then all the user will have to do is to paste the it into the address bar, and the address bar will activate it... I am not sure this is even possible. Any answer will be appreciated.

user1938653
  • 611
  • 1
  • 9
  • 21
  • Not going to happen. You would need a server proxy that for example curls to the site and shows the cookies returned if you spoof the user's browser – mplungjan Apr 21 '13 at 19:58
  • You cannot access another site’s cookies from the context of your site. That would violate the [same origin policy](http://en.wikipedia.org/wiki/Same_origin_policy). – Gumbo Apr 21 '13 at 20:00
  • "Violate the same origin policy" - So are you saying that If I for example want to activate a cookie from StackOverflow right now with the address bar using javascript, I can't do it? even though, I can see it's cookie and value... – user1938653 Apr 21 '13 at 20:03
  • What do you mean by activate? You can only access the cookies of the same origin. So only on SO you can access the cookies of SO. – Gumbo Apr 21 '13 at 21:13
  • Looks like you asked this twice already? http://stackoverflow.com/questions/16134135/activating-a-cookie-with-the-address-bar and http://stackoverflow.com/questions/16095360/executing-javascript-in-the-address-bar-in-order-to-get-run-a-cookies-value – Kevin Hakanson Apr 21 '13 at 22:48

1 Answers1

0

Before the days of Firebug and other browser development tools, I used to type the following into the URL bar to see the sites cookies:

javascript:alert(document.cookie)

So, I just went to google.com, then tried this with Firefox 19, Chrome 26 and Safari 6 on my Mac (OS X 10.8).

Chrome let me type javascript:alert(document.cookie), but when I paste it into the URL bar, it stripped the javascript: and just pasted alert(document.cookie), which ran a google search.

Safari alerted the cookies on paste, but Firefox would not allow pasting, nor typing.

Those results were direct user input, and had mixed results. With a link from another site, and all the "cross domain" security issues, this is not going to work. If you think of it, this is really another form of a Cross-site scripting (XSS) attack.

Kevin Hakanson
  • 41,386
  • 23
  • 126
  • 155
  • How is this XSS? I am trying to accsses my own cookies stored on my browser. The only thing that I am trying to do is to get a specific cookie's value to be shown into the browser... – user1938653 Apr 21 '13 at 23:12
  • You are liking from one site, into another site (cross site), trying to get information set by that site – Kevin Hakanson Apr 21 '13 at 23:15
  • No, Now I'd only like to know how to find a specific cookie's value by using javascript on the address bar... that means - I enter Javascript code into the browser, the result is the cookie's specific value. – user1938653 Apr 21 '13 at 23:33